Abstract — As cloud computing thrives, many organizations -
both large and small - are joining a public cloud to take
advantage of its multiple benefits. Public cloud based
computing, in particular, is cost efficient, i.e., a cloud user can reduce
spending  on  technology  infrastructure  and  have  easy  access  to 
their  information  without  up-front  or  long-term  commitment 
of  resources.  Despite  those  benefits,  concern  over  cyber 
security  is  the  main  reason  many  large  organizations  with 
sensitive  information  such  as  the  Department  of  Defense  have 
been  reluctant  to  join  a  public  cloud.  This  is  because  different 
public  cloud  users  share  a  common  platform  such  as  the 
hypervisor.  An  attacker  can  compromise  a  virtual  machine 
(VM)  to  launch  an  attack  on  the  hypervisor  which,  if 
compromised,  can  instantly  yield  the  compromising  of  all  the 
VMs  running  on  top  of  that  hypervisor.  This  work  shows  that 
there  are  multiple  Nash  equilibria  of  the  public  cloud  security 
game.  However,  the  players  use  a  Nash  equilibrium  profile 
depending  on  the  probability  that  the  hypervisor  is 
compromised  given  a  successful  attack  on  a  user  and  the  total 
expense  required  to  invest  in  security.  Finally,  there  is  no  Nash 
equilibrium  in  which  all  the  users  in  a  public  cloud  fully  invest 
in  security. 

Keywords-  Cloud  computing;  cyber  security;  externalities; 
game  theory;  interdependency 

I.  Introduction 

With  software  being  one  of  the  fastest  growing  industries 
in  the  United  States  [1],  when  its  security  is  overlooked  the 
inattentiveness  can  be  attributed  to  both  the  producer  and 
consumer.  This  can  have  far  reaching  implications,  from 
infrastructure  protection  to  the  home  computer  system. 
Internet  security  suffers  too  due  to  under-investment  from 
both  sides  of  the  market,  which  can  be  counterintuitive  since 
logic  dictates  that  prevailing  economic  forces  should  drive 
the  incentive  to  invest  on  both  ends.  This  is  not  the  case  for 
several  reasons,  including  perverse  incentives,  asymmetrical 
information,  and  interdependency  (we  will  elaborate  on  the 
meanings  of  these  terms  from  economics  in  the  appropriate 
parts  of  our  paper.)  However,  it  will  be  seen  that 
interdependency  underpins  all  these  causes  and  influences 
network  security  in  general.  The  preliminary  version  of  this 
paper  was  published  in  [27]. 

Due  to  the  fast  paced  nature  and  rapid  expansion  of 
developments  in  the  cyber  realm,  first  mover  advantages  can 
be enormous. This can create a software maker philosophy in
which  “they’ll  ship  it  on  Tuesday  and  get  it  right  by  version 
3”  [16].  This  philosophy  clearly  can  neglect  many  security 
aspects  on  the  supply  side.  And  the  demand  side,  in  turn, 
cannot  truly  know  what  it  is  purchasing,  since  many  of  the 
vulnerabilities  could  go  undetected.  This  is  especially  true  in 
large  networks  with  limited  security  manpower.  The  idea  of 
“get  it  out  now  and  fix  it  later”  is  a  perverse  incentive  that  is 
created  by  the  demand  aspect  of  the  Internet  economy  since 
the  incentive  is  to  have  new  and  updated  versions  of  software 
as fast as possible but the unintended result is a product that is rife
with  bugs.  However,  because  of  information  asymmetry,  the 
consumer  usually  does  not  know  the  true  nature  of  the 
product  he  is  being  delivered.  This  is  because  many  times  the 
producers  do  not  know  the  true  security  of  their  own  product 
[16].  This  is  especially  true  with  emerging  fields  of 
computing  such  as  cloud  computing  [15].  And  it  is  indeed  a 
sizable  problem,  as  fears  of  leakage  of  sensitive  or 
confidential data pose a “significant barrier to the adoption
of  cloud  services”  [17],  which  hinders  major  industry  players 
from  switching  to  cloud  platform  services,  stifling  its  growth. 
The  lack  of  product  knowledge,  product  testing,  and  trust  all 
establish  an  interdependent  relationship  between  producer 
and  consumer.  For  better  or  for  worse,  the  feedback 
mechanism  that  governs  economics  is  an  interdependent 
relationship  between  two  sides  of  trade.  It  allows  a  consumer 
to  send  signals  to  a  producer  so  that  maximum  utility  can  be 
reached  (i.e.,  Pareto  efficiency).  However,  the  examples  of 
perverse  incentives  and  information  inequality  (where  this 
feedback  mechanism  has  failed  in  unintended  and  undesired 
ways)  are  just  a  small  part  of  the  general  connectedness  of 
network  security.  In  fact,  network  security  is  just  another 
small  part  in  the  complex  infrastructure  system  of  any 
developed  nation.  And  as  we  will  see,  interdependency  is  the 
underlying  factor  in  this  large  network  of  infrastructures 
critical  to  the  operations  of  a  country. 

The  cloud  now  figures  largely  in  the  information 
infrastructure.  It  is  critical  because  of  its  rapidly  expanding 
size  and  scope.  This  is  especially  problematic  for  the 
aforementioned  problem  of  technology  outpacing  security. 
This  spurs  cloud  providers  to  furnish  expertise  in  security 
over what individual organizations (hereafter alternately
referred to as users) would do on their own. This encourages
more  users  to  join  the  cloud;  however,  the  cloud  then 
becomes  an  attractive  target  because  of  the  potentially  large 
payoff  of  a  cyber  attack.  What  is  more  notable  than  the 
regular security issues any network would have is that public
clouds  exhibit  a  unique  type  of  interdependency  because  of 
the  ability  of  an  attacker  to  propagate  his  attack  through  the 
hypervisor  to  all  VMs  using  the  hypervisor.  This  eliminates  a 
very  important  aspect  of  regular  network  security  in  which 
an  attacker  would  have  to  go  through  a  multi-hop  process  in 
order  to  launch  an  indirect  attack.  Thus,  a  public  cloud  at  its 
current  stage  leaves  its  users  more  susceptible  to  a  ‘bad 
neighbor’  effect  where  an  unsecured  user  might  allow 
another  to  be  indirectly  attacked.  Although  our  focus  is  on 
public  clouds,  the  same  research  problems  may  also  exist  in 
private  clouds,  and  our  solution  is  also  applicable.  We  focus 
on  public  clouds  only  because  the  problems  are  more 
pronounced  in  public  clouds. 

In  a  dense  network  of  VMs,  an  attacker  may  launch  an 
indirect  attack  on  a  User  j  by  first  compromising  the  VMs  of 
User  i  and  then  attacking  User  j  as  a  prime  target.  This 
creates  a  risk  connection  between  the  users  of  a  cloud  where 
a ‘large’ player (one who has a high potential loss) may not
be  willing  to  use  cloud  services  due  to  the  risk  imposed  by  a 
‘small’  player  (low  potential  loss  from  a  successful 
compromise).  This  threat  is  worsened  when  a  small  player 
will  not  invest  in  security  measures  since  it  could  (correctly) 
rationalize  that  an  attacker  will  attack  the  larger  user  anyway, 
so  investing  would  be  pointless.  Definitely,  a  single  user  of  a 
public  cloud  cannot  protect  itself  if  other  users  are  not  doing 
the  same.  This  means  that  a  user  will  be  protected  if  it 
defends  itself  while  other  users  are  also  securing  their  asset. 
When  there  are  two  or  more  rational  entities  that  face 
interdependent  choices,  we  can  use  game  theory  to  model 
their behaviors, as it is indeed “the study of mathematical
models  of  conflict  and  cooperation  between  intelligent 
rational  decision-makers”  [5]. 

There  are  several  main  contributions  this  paper  makes. 
Primarily,  it  aims  to  model  these  behaviors  that  govern  the 
actions  of  different  users  in  the  cloud  using  game  theoretical 
concepts.  Along  with  modeling  the  choices  of  cloud  users,  it 
will  be  shown  that  the  low  profile  user  imposes  a  negative 
externality,  or  a  cost  imposed  unwittingly  upon  an  otherwise 
uninvolved  party — most  notably  the  larger  user.  This  will,  in 
turn,  spur  the  large  player  to  invest  more  often  than  the  small 
player  since  the  large  player  is  usually  the  prime  target.  The 
outcome:  there  is  no  Nash  equilibrium  in  which  all  the 
players  will  fully  invest  in  security.  Lastly,  we  will  prove 
that  the  probability  that  the  hypervisor  of  a  cloud  is 
compromised  given  a  successful  attack  on  a  VM  will 
determine  if  we  have  a  pure  or  mixed  strategy  Nash 
equilibrium. 

After  the  related  work  in  Section  II,  Section  III  will 
explain  the  cloud  architecture  common  to  the  public  cloud 
model  that  is  incorporated  into  our  game  model.  Section  IV 
will  explain  and  set  up  the  problem  in  the  context  of  game 
theory  and  diagram  the  problem  in  a  normal  form  game. 
Section  V  looks  at  the  results  provided  by  the  game  and 
maps  out  the  different  types  of  equilibrium  reached  given 
different  parameters.  Further,  Section  V  describes  and 
shows  the  equilibria  changes  in  accordance  with  changes  to 
the  game  parameters.  Section  VI  shows  the  numerical 
results that graphically demonstrate how the equilibrium
changes following a change in the parameters. Section VII
extends  the  model  beyond  one  attacker  and  two  users  so  as  to 
pave  the  way  for  possible  future  research  in  the  topic. 
Section  VIII  concludes  the  paper. 

II.  Background  and  Related  Work 

We divide the related work into five subsections. In
Subsection  A  we  will  look  at  the  interdependent  nature  of  the 
critical  infrastructure  network  in  the  United  States  and  its 
connection  to  cyberspace.  In  Subsection  B  we  will  relate 
game  theory  and  its  connection  to  interdependency.  In 
Subsection  C  we  will  bring  together  game  theory  and 
network  security  with  no  intermediary.  With  Subsection  D 
game  theory  is  applied  to  cloud  computing.  Subsection  E 
deals  with  interdependency  and  cross-side  channel  attacks 
between  VMs. 

A. Critical Infrastructure Defense (and lack thereof)

Generally,  the  United  States  government  does  not 
interfere  in  the  affairs  or  operations  of  the  Internet  unless  it 
pertains  to  national  security.  However,  even  when  national 
security  is  at  stake,  the  government  is  ill-prepared  for  a 
response,  as  Dave  Clemente  argues  in  his  paper  [2].  The 
main  problem,  he  reasoned  in  his  thesis,  is  that  the 
infrastructures  critical  to  the  operations  of  the  United  States 
are  mislabeled  and  overstated  due  to  miscommunication  at 
the  local  and  national  governmental  levels.  This  causes  many 
infrastructures  that  are  not  critical  to  be  labeled  critical  (This 
is  nicely  stated  in  his  aphorism:  “When  everything  is  critical, 
nothing  is”).  The  problem  is  compounded  by  tying  all  these 
infrastructures  together  through  a  dense  network  of 
interconnectedness,  making  one  network  of  infrastructure 
dependent  on  another.  The  backbone  of  this  connected 
network  is  the  Internet,  which  is  becoming  increasingly 
relied upon and only furthering the deep ties these sub-networks
already have. Unfortunately, Clemente argues, the
Internet  securitization  process  is  not  keeping  pace  with  the 
current  expansion  of  the  Internet  due  to  industry  pressures  to 
sacrifice  long  term  security  needs  for  short  and  mid-term 
speed  and  efficiency  needs.  And  until  the  critical 
infrastructure  is  taken  out  of  private  interests  (which  would 
cause  much  more  harm  than  good),  this  problem  will  persist. 
And  although  no  major  solution  was  mentioned  by 
Clemente — other  than  something  must  be  done —  a  much 
more  comprehensive  solution  was  laid  out  by  Kenneth 
Cukier  [3]. 

The  work  done  by  Cukier  and  his  colleagues  addressed 
many  of  the  issues  raised  by  Clemente.  The  main  issue  was 
that  there  is  an  underinvestment  of  security  within  the  critical 
information  infrastructure  of  the  United  States.  This  problem 
was  discussed  at  length  and  was  cast  as  a  symptom,  not  the 
disease.  The  underinvestment  was  due  to  many  underlying 
factors  such  as  informational  asymmetry  (companies  do  not 
know  the  extent  of  their  problem),  conflict  of  interest 
(government  interests  vs.  private),  and  interdependent 
security  (this  will  be  further  analyzed  in  the  context  of  game 
theory  later).  All  these  problems  aggregate  into  a  general 
deficiency  of  investment  in  cyber  security.  Although  this 
seems  like  an  economically  counterintuitive  outcome,  it  is  a 
rational one given the constraints of various aforementioned
forces.  The  solution  offered  by  Cukier  was  essentially  an 
insurance  market  for  security  risk,  facilitated  by  a  favorable 
environment  created  by  the  government. 

Cukier  goes  on  to  state  that  many  private  companies  do 
not  know  the  extent  of  their  risk  because  of  a  reluctance  to 
share  their  vulnerabilities  with  others.  Insurance  companies 
will  not  insure  the  risk  since  they  do  not  have  access  to  the 
information  to  quantify  it.  This  creates  a  cat-and-mouse 
game  where  neither  the  insurance  market  nor  the  companies 
in  need  of  security  will  make  the  first  move.  This,  according 
to  Cukier,  is  where  the  government  can  step  in  and  facilitate 
transactions  of  sensitive  information  as  well  as  preserve 
anonymity.  The  creation  of  a  beneficial  environment  through 
incentives  and  information  exchange  can  create  a  market  for 
risk,  which  by  definition  will  reduce  risk  of  infrastructure 
sectors  (insurance  premiums  will  discourage  risky  business 
and  encourage  security  investing).  The  dissertation  of  Forrest 
Hare  [4]  reflects  these  sentiments  as  he  argues  that  there  is 
an  underinvestment  due  to  a  conflict  of  interests.  He 
contends  that  a  public-private  partnership  should  be  formed 
to  facilitate  the  transfer  of  information  and  to  increase  the 
incentives  of  private  firms  to  invest  in  security.  This  will 
lead  to  noticeable  positive  externalities  on  the  public  (since 
they  will  be  more  secure)  and  everyone  will  be  better  off  as  a 
result. 

Actually,  under  the  new  Executive  Order  13636 — 
Improving  Critical  Infrastructure  Cyber  security  [25],  the 
White  House  would  like  to  provide  incentive  to  private 
companies  to  voluntarily  adopt  a  Cyber  Security  Framework. 
The  Framework  is  a  partnership  with  the  owners  and 
operators  of  critical  infrastructure  to  improve  cyber  security 
information  sharing  and  collaboratively  develop  and 
implement  risk-based  standards.  The  Framework’s  goal  is  to 
share  cyber  security  information  such  that  the  United  States 
government  and  the  private  sector  may  better  protect  and 
defend  themselves  against  cyber  threats  and  reduce  cyber 
risk  to  critical  infrastructure.  In  fact,  a  security  breach  on  a 
government  contractor  (i.e.  a  private  company)  can 
compromise  multiple  government  programs.  This  shows  the 
interdependency  between  government  and  private  sector 
security.  The  White  House’s  Cyber  Security  Framework  is 
currently  under  development  at  the  National  Institute  of 
Standards  and  Technology.  The  Cyber  Security  Framework 
includes  a  set  of  standards  and  technological  approaches  to 
be  adopted  by  each  organization  to  minimize  cyber  risks. 

B.  Game  Theory  and  Interdependency 

Through  globalization,  firms  are  becoming  increasingly 
dependent  upon  each  other.  Thus,  it  would  be  logical  to 
assume  that  their  choices  would  reflect  the  actions  of  their 
competitors  and  benefactors  sharing  a  given  set  of 
information.  Game  theory  accurately  describes  these 
conditions, as it is “the study of mathematical models
of conflict and cooperation between intelligent rational
decision-makers” [5]. This makes the case for
interdependency among firms, as the actions of one affect
the actions of many. The examples of interdependency
observed here will include airline security, bankruptcy, and
vaccinations.

Two  of  the  papers  from  the  National  Bureau  for 
Economic  Research  (NBER)  carefully  looked  at  multiple 
scenarios  involving  game  theory  and  the  subsequent 
interdependency  of  the  players  [6-7].  The  first  paper  looked 
at  discrete  and  mostly  static  games  [6].  It  was  shown  that 
with  airline  security,  one’s  own  investment  in  baggage 
security  was  heavily  dependent  on  the  choices  of  the  other 
airline  in  a  simple  two  player  game.  Here  one’s  own  security 
is  compromised  due  to  another  airline’s  lack  of  security  or 
complemented  by  the  reinforcement  of  the  rival’s  airline 
security.  It  was  shown  that  the  two  Nash  equilibria  that  exist 
in  a  simple  two  firm  game  occur  when  both  airlines  invest  in 
security  and  when  both  airlines  do  not  invest  in  security.  As 
stated  in  the  previous  subsection,  clearly  only  the  outcome  of 
both  investing  is  desirable.  However,  economic  costs  and 
initial conditions can influence the firms to go the other way
and not invest. With government regulation or other
methods to tip incentives toward investing, an economically-optimal
situation can be achieved with a little tweaking.
Similar  results  were  found  with  more  than  two  firms  since 
the  investing  of  one  firm  can  cause  multiple  firms  to  change 
their  decision  to  invest,  creating  a  cascade  effect  in  which 
one  firm  causes  another  to  invest  and  so  on.  Within  the  same 
paper  [6],  similar  results  were  derived  from  firm  bankruptcy. 
If each division of a large firm, such as a bank, were to
undergo  risk  reduction  individually,  the  collective  risk  of  a 
firm  would  be  reduced.  However,  if  one  branch  takes 
exceptional  risks,  it  can  create  bankruptcy  for  the  whole  firm 
such  that  the  other  divisions  succumb  by  the  cascading 
effect. 

The  second  of  the  NBER  papers  demonstrated  the 
cascading  effect  [7].  Again,  the  airline  security  problem  was 
studied  but  in  much  more  depth  and  mathematical  rigor. 
They  proved  that  the  incentive  to  invest  is  heavily  dependent 
on  the  cost  of  investing  compared  to  the  benefit  derived  from 
both  investing  in  security.  The  cost  could  be  manipulated 
both  by  lowering  the  cost  of  investing  as  well  as  raising  the 
cost  of  not  investing. 

Unlike  an  organization  having  exclusive  use  of 
computational  resources,  the  resource  sharing  that  occurs  in 
the  cloud  enables  unforeseen  exploitation  of  weaknesses  by 
attackers.  Similarly,  the  commonality  of  computational 
resources  without  an  equal  commonality  of  user-instantiated 
security  creates  an  avenue  for  launching  an  attack  on  other 
tenants  i.e.,  a  negative  externality  due  to  interdependency 
and  resource  sharing. 

The  link  between  interdependency  and  game  theory  has 
been  clearly  established  along  with  the  connection  between 
network  security  and  interdependency  in  the  previous  two 
subsections.  In  the  next  section  we  will  show  the  application 
of  game  theoretical  concepts  to  network  security. 

C.  Applying  Game  Theory  to  Cyber  Security 

Sun et al. presented a model of investment security [8]
where  they  simulated  a  security  game  between  two  arbitrary 
companies  having  to  decide  whether  to  invest  or  not  invest  in 
information  security.  The  payoffs  were  based  on  several 
inputs such as cost of investing and the possible loss from a
security  compromise.  However,  the  most  important 
parameter  discussed  was  a  penalty  parameter  p  for  not 
investing.  It  was  shown  that  the  3  Nash  equilibrium 
strategies  produced  from  the  game  were  two  pure  Nash 
equilibria  (neutral  payoff  for  not  investing  and  a  positive 
payoff  each  for  investing)  and  one  mixed  strategy  that  was  a 
function  of  all  the  parameters.  The  pure  strategies  were 
shown  to  have  an  Evolutionary  Stable  Strategy  (ESS)  while 
the  mixed  strategy  was  not.  The  mixed  strategy  was 
demonstrated  to  be  a  focal  point,  as  a  strategy  on  either  side 
of this critical point ‘tipped’ or ‘cascaded’ to the closer ESS at
pure  Nash  equilibrium.  However,  p  was  shown  to  factor  in 
where  the  mixed  strategy  fell  between  the  two  pure  strategies 
on  the  probability  spectrum  of  0  to  1.  This  could  skew  the 
results from what could be considered ‘normal’ and
demonstrated  that  an  outside  force  such  as  the  government 
could  manipulate  the  penalty  parameter  in  order  to  achieve  a 
more  favorable  outcome. 

Even  though  the  previous  example  would  have  used  a 
central  manager  or  network  administrator  to  decide  if 
investing  was  the  correct  choice,  Kamhoua  et  al.  applied 
game  theory  to  nodes  in  autonomous  networks  [9].  They 
used  similar  constraints  with  similar  results:  there  are  3  Nash 
equilibria,  two  pure  and  one  mixed  with  the  mixed  strategy 
being  an  unstable  equilibrium.  This  resulted  in  a  cascading  of 
strategies on either side that tended toward the two pure
Nash equilibria. The main difference, however, is that instead of
a penalty parameter, as in the paper of Sun et al. [8], there is a
trust parameter which the initial conditions of the strategy
heavily depended on. The trust parameter depended on how
much the deciding node believes that the other node will
participate  in  a  security  mechanism.  The  main  conclusion  to 
draw  from  these  simulations  is  that  it  is  impossible  to  move 
from  the  low  trust  equilibrium  to  the  high  trust  equilibrium 
through  an  evolutionary  process.  In  the  replicator  dynamic 
model  [26],  the  final  state  depends  entirely  on  the  initial 
condition.  This  has  broad  reaching  implications,  from 
network  security  to  cloud  computing. 
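
The tipping behaviour summarised in the two paragraphs above, as an added example that is not code from this paper or from [8] or [9]: a symmetric two-firm investment game whose payoff form (investment cost, breach loss, direct and spill-over breach probabilities, and a penalty for not investing) and all numeric values are assumptions chosen for illustration. It enumerates the pure equilibria, solves for the mixed one, and runs replicator dynamics to show that the starting share of investors, and the size of the penalty, decide which pure equilibrium is reached.

```python
from dataclasses import dataclass
from itertools import product

INVEST, SKIP = "invest", "skip"


@dataclass(frozen=True)
class SecurityGame:
    """Symmetric two-firm investment game; every field is an assumed parameter."""
    cost: float           # price of the security investment
    loss: float           # damage suffered when a firm is breached
    direct: float         # chance an unprotected firm is breached directly
    spread: float         # chance a breach arrives via an unprotected neighbour
    penalty: float = 0.0  # external charge levied on a firm that does not invest

    def payoff(self, mine: str, other: str) -> float:
        """Expected payoff (a negative cost) of playing `mine` against `other`."""
        exposed = self.spread if other == SKIP else 0.0
        if mine == INVEST:
            # Investing removes the direct risk but not the spill-over risk.
            return -self.cost - exposed * self.loss
        breach = self.direct + (1 - self.direct) * exposed
        return -breach * self.loss - self.penalty

    def pure_equilibria(self) -> list:
        """Profiles where neither firm gains by switching unilaterally."""
        def best(mine, other):
            alt = SKIP if mine == INVEST else INVEST
            return self.payoff(mine, other) >= self.payoff(alt, other)
        return [(a, b) for a, b in product((INVEST, SKIP), repeat=2)
                if best(a, b) and best(b, a)]

    def advantage(self, x: float) -> float:
        """Payoff of investing minus not investing when the rival invests w.p. x."""
        inv = x * self.payoff(INVEST, INVEST) + (1 - x) * self.payoff(INVEST, SKIP)
        skip = x * self.payoff(SKIP, INVEST) + (1 - x) * self.payoff(SKIP, SKIP)
        return inv - skip

    def mixed_equilibrium(self):
        """Interior investment probability that leaves the rival indifferent."""
        slope = self.advantage(1.0) - self.advantage(0.0)
        if slope == 0:
            return None
        x = -self.advantage(0.0) / slope
        return x if 0 < x < 1 else None


def replicator(game, x0, dt=0.01, steps=5000):
    """Euler-integrate dx/dt = x(1-x) * advantage(x) for the share of investors."""
    x = x0
    for _ in range(steps):
        x += dt * x * (1 - x) * game.advantage(x)
        x = min(1.0, max(0.0, x))  # keep the share a valid probability
    return x


if __name__ == "__main__":
    # Constructed parameter values, not taken from the paper.
    for fine in (0, 5, 12):
        g = SecurityGame(cost=30, loss=100, direct=0.4, spread=0.5, penalty=fine)
        print(f"penalty={fine}: pure={g.pure_equilibria()} "
              f"mixed={g.mixed_equilibrium()}")
        for start in (0.4, 0.6):
            print(f"  start {start:.1f} -> final share {replicator(g, start):.3f}")
```

With no penalty the mixed equilibrium sits between the two pure ones and populations starting on either side of it drift apart; raising the penalty lowers that threshold until the no-investment equilibrium disappears.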

In  Tamer  Basar’s  and  Tansu  Alpcan’s  book  [10],  they 
explain  the  devastating  costs  of  failure  to  properly  protect  a 
network.  They  show  how  an  attacker  can  infiltrate  a  network 
at  one  node,  but  spread  to  other  nodes  (or  infrastructures) 
due  to  contagion.  This  can  cause  a  spillover  effect  where  one 
node  affects  another  and  so  on.  The  end  result  is  that  network 
interdependency  is  created  and  that  one  unprotected  node 
causes  risks  at  all  the  other  nodes,  so  the  decision  of  one 
affects  the  outcomes  of  many.  Basar  and  Tansu  however 
only  applied  network  security  in  a  traditional  computer 
setting.  The  rise  and  expansion  of  cloud  computing  has  led  to 
many  questions  about  its  security.  To  raise  concerns  further, 
cloud  computing’s  annual  growth  is  rapidly  outpacing 
regular  computing  methods  by  a  significant  margin  [11].  In 
the  next  subsection  we  will  outline  details  on  its  expansion, 
tradeoffs  in  switching  to  cloud  platforms,  and  further 
research  in  cloud  security. 


D.  Interdependency  Analysis  in  Cloud  Computing 

According  to  the  National  Institute  of  Standards  and 
Technology  definition  of  cloud  computing,  some  of  the 
‘essential  characteristics’  that  come  with  the  term  include 
resource  pooling,  elasticity,  resource  optimization,  network 
access  and  on-demand  self-service  [12].  Though  this  can 
overcome  many  constraints  posed  by  traditional  computing, 
the  emerging  field  of  cloud  computing  currently  carries  some 
profound  tradeoffs.  Pearson  and  Benameur  outlined  several 
important  drawbacks  in  cloud  technology  such  as  privacy, 
security,  and  trust  concerns  [13].  However,  these  three 
problems  are  not  unrelated  to  each  other.  Security  within  the 
cloud  is  based  on  trust  of  the  provider,  and  privacy  is  based 
on  the  relevant  security  issues.  Trust  is  in  turn  built  on  the 
relationship  of  security  and  privacy  that  the  cloud  operator 
provides.  This  is  not  the  case  every  time,  since  not  all  cloud 
technology  has  these  aforementioned  problems  due  to  their 
diverse  nature.  Zissis  et  al.  [14]  differentiate  between  public 
and  private  cloud  structures  by  stating  that  private  cloud 
technology  is  for  inter-organizational  operations  and  no  third 
party  is  required  while  public  and  community  cloud 
computing  utilizes  a  third  party  for  a  variety  of  service 
platforms.  Such  service  platforms  that  cloud  computing 
provide  include  Infrastructure  as  a  Service  (IaaS),  Software 
as  a  Service  (SaaS),  and  Platform  as  a  Service  (PaaS). 

An  IaaS  cloud  provides  a  user  access  to  virtualized 
hardware, presented by a hypervisor (e.g., VMware, Xen,
KVM)  and  encapsulated  in  a  VM,  where  the  user  is  able  to 
deploy  and  run  arbitrary  software  including  operating 
systems  and  applications  on  the  underlying  shared  hardware. 
A  PaaS  cloud  provides  a  user  a  language-specific  platform 
(e.g.,  JVM,  .Net)  to  deploy  and  run  arbitrary  applications 
developed  using  the  given  language  on  the  underlying  shared 
platform.  A  SaaS  cloud  provides  a  user  access  to  a  particular 
application  (e.g.,  web-based  email,  document  editor)  where 
the  user  can  use  the  functionality  provided  by  the  underlying 
shared  application.  Although  these  different  levels  of  cloud 
services  can  be  built  separately,  it  is  increasingly  common  to 
build  a  high-level  cloud  service  using  resources  provided  by 
a  lower-level  one  (e.g.,  build  a  SaaS  on  resources  from  PaaS 
and  a  PaaS  on  resources  from  IaaS),  so  that  the  former  can 
benefit  from  the  elasticity  and  economics  provided  by  the 
latter.  Therefore,  although  our  paper  focuses  on  VM-based 
hosting  of  mission-critical  applications  in  an  IaaS  setting,  its 
outcomes  can  also  generate  an  impact  to  other  models  of 
cloud  computing  (further  information  can  be  seen  in  [14]). 
Although  private  clouds  do  share  some  of  the  benefits  and 
drawbacks  of  public  clouds,  the  issues  of  privacy,  security, 
and  trust  arise  from  mainly  public  cloud  platforms,  as  many 
of  the  users’  computing  capabilities  are  outsourced  to  a  third 
party  owner  who  leases  the  technology  in  a  variety  of  ways. 
Therefore  we  focus  on  the  public  cloud;  so  in  this  paper 
private  cloud  entities  will  not  be  discussed  further.  In  fact, 
private  clouds  allow  users  from  the  same  organization  to  run 
their  internal  applications  on  shared  resources.  Therefore,  in 
a  game  theoretic  sense,  there  should  be  less  conflict  of 
interest  among  private  cloud  users  since  they  belong  to  the 
same  organization. 
As stated before, these problems that involve the public
cloud  are  not  unrelated  as  they  all  underpin  a  unique 
relationship  between  the  third  party  provider  and  the  cloud 
user.  This  can  give  rise  to  interdependency  between  the  user 
and  the  operator  of  the  cloud.  If  we  apply  the  behavior  of 
network  nodes  as  described  in  [9]  to  a  cloud’s  VMs,  then  we 
can see that cloud computing yields a very interdependent
structure. Cloud computing gives way to two types of
interdependent  relationships:  cloud  host-to-client  and  cloud 
client-to-client. 

Client-to-client interdependency is much less studied
than the above-mentioned cloud host-to-client
relationship, although it can still carry the negative
externalities  provided  by  the  first  relationship  since  a 
security  compromise  is  the  same  no  matter  where  it  has 
originated.  A  simple  example  of  this  involves  the  airline 
security  problem  found  in  [6]  and  [7]  where  a  bomb  infused 
baggage  is  sent  through  an  unsecured  airline,  which  in  turn 
reaches  a  heavily  secure  airline  because  no  inter-airline 
security  screening  is  used  (and  it  usually  is  not).  Thus,  an 
under-secure  airline  can  impose  negative  externalities  onto  a 
seemingly  secure  airline.  Similarities  can  be  drawn  to  two 
clients  operating  in  the  same  cloud  environment.  An  attacker 
can  compromise  an  unsecured  client  and  make  its  way  to  the 
more  secure  and  larger  client  through  the  hypervisor. 
However,  unlike  the  airline  interdependent  security  problem 
where  a  bomb  can  only  destroy  one  airline,  a  virus  in  a 
public  cloud  or  computer  network  can  compromise  many 
VMs  including  the  VM  in  which  the  attack  originated. 

We  have  already  seen  that  interdependency  lays  the 
foundation  for  game  theory  in  previous  subsections.  Indeed, 
this  scenario  between  two  clients  also  involves  two  or  more 
intelligent  rational  entities  with  conflicting  incentives. 
Analogous  to  the  previous  example,  a  small  firm  with  high 
overhead  will  see  little  point  to  invest  in  security  since  its 
cost  to  invest  is  most  likely  diminished  by  the  fact  it  has 
lower  possible  loss  from  being  compromised.  However,  a 
larger  firm  has  a  much  higher  potential  loss  from  being 
compromised,  especially  if  they  carry  sensitive  information 
(This  has  been  seen  in  [15]  when  large  firms  refuse  to  use 
cloud  computing  because  of  its  risks).  Thus,  a  rational 
attacker  might  attack  a  smaller  firm,  compromise  the 
hypervisor,  and  then  target  the  larger  firm  if  the  potential 
gain  from  a  successful  indirect  attack  outweighed  the 
potential  gain  from  a  direct  attack. 

E. Interdependency and Cross-side Channel Attacks between VMs

The  support  for  security  isolations  from  existing  cloud 
systems  is  limited.  The  different  VMs  sharing  the  same 
resources  may  belong  to  competing  organizations  as  well  as 
unknown  attackers.  From  the  perspective  of  a  cloud  user, 
there  is  no  guarantee  whether  the  underlying  hypervisor  or 
the  co-resident  VMs  are  trustworthy.  The  shared  resource 
makes  privacy  and  perfect  isolation  implausible.  There  is  a 
risk  that  a  covert  side  channel  be  used  to  extract  another 
user’s  secret  information  or  launch  a  Denial  of  Service  (DoS) 
attack. Cross-side channel attacks between VMs are possible
in a public cloud when the VMs share the same hypervisor,
CPU, memory, and storage and network devices. Some of
the resources can be partitioned (e.g., CPU cycles, memory
capacity, and I/O bandwidth). VMs also share resources that
cannot be well partitioned such as last-level cache (LLC),
memory bandwidth, and I/O buffers. The shared resources
can be exploited by attackers to launch cross-side channel
attacks. Although a multi-tenant public cloud-computing
environment  provides  various  advantages,  it  also  introduces 
new  challenges  and  concerns,  especially  on  security  issues. 
For  instance,  the  security  problems  on  a  shared  cloud 
resource  (e.g.,  cloud  storage  devices,  network  services, 
software  components,  etc.),  which  are  originally  rooted  from 
one  of  the  tenants  via  internal  vulnerabilities  or  external 
cyber-attacks,  may  eventually  affect  the  service  quality  and 
security  of  all  the  tenants  in  the  same  cloud-computing 
environment.  Unfortunately,  we  cannot  simply  assume  that 
there  would  be  a  single  authority  who  could 
comprehensively  maintain  all  the  possible  issues,  not  only 
technical  but  also  non-technical,  across  the  tenants. 

Moreover,  existing  cloud  service  providers  do  not 
provide  sufficient  security  guarantees  to  their  tenants.  In  fact, 
the  service-level  agreements  (SLAs)  of  representative  cloud 
providers  (e.g.,  Amazon  EC2/S3,  Windows  Azure,  Google 
Compute  Engine)  specify  only  the  provisions  related  to 
service up time, and there is no mention of security in
these  SLAs  at  all. 

Many  researchers  have  investigated  the  cache  based  side 
channel.  Ristenpart  et  al.  [18]  show  that  a  malicious  user  can 
analyze  the  cache  to  detect  a  co-resident  VM’s  keystroke 
activities  and  map  the  internal  cloud  infrastructure  and  then 
launch  a  side-channel  attack  on  a  co-resident  VM.  Bates  et 
al.  [19]  demonstrate  the  ability  to  initiate  a  covert  channel  of 
4  bits  per  second,  and  confirm  co-residency  with  a  target  VM 
instance  in  less  than  10  seconds.  Li  et  al.  [23]  proposed 
several  techniques  to  protect  VMs  from  untrusted 
management  VM,  which  includes  modifying  the  hypervisor 
to  restrict  access  of  the  privileged  domain  to  the  memory 
mappings  of  the  VM,  encrypting  all  of  the  memory  pages 
and  vCPU  registers  before  they  are  accessed  by  the 
privileged  domain,  and  providing  a  hash  value  of  the  kernel 
image  to  be  compared  with  the  one  residing  on  the  VM. 
HyperSentry  [24]  enables  stealthy  in-context  measurement 
of  hypervisor  integrity  using  a  hardware  channel  to  trigger 
the  measurement  and,  using  the  system  management  mode, 
to  protect  the  measurement  agent’s  base  code  and  critical 
data. 

Given the danger of cross-side channel attacks, some
users  may  require  physically  isolated  resources  from  the 
cloud  provider.  Zhan  et  al.  [20]  introduce  HomeAlone  -  a 
defensive  tool  that  helps  users  determine  if  their  VMs  have 
an  exclusive  use  of  a  physical  machine.  HomeAlone  can 
detect  the  activity  of  an  intruder’s  co-resident  VM  by 
analyzing  a  portion  of  the  L2  memory  cache  set  aside  by  his 
VMs.  The  same  technique  can  be  used  to  detect  adversarial 
VMs  which  try  to  extract  information  through  the  side 
channel  due  to  their  usual  cache  activity  pattern.  This 
solution, however, requires all the user VMs to be
co-resident, which is often difficult to achieve and makes them
more  vulnerable  to  hardware  and  hypervisor  failures. 


Approaches  that  dedicate  a  physical  machine  to  a  specific 
user  also  greatly  limit  some  of  the  benefit  of  a  public  cloud 
such  as  the  on-demand  dynamic  resource  allocation.  This 
means  that  a  user  can  no  longer  purchase  exactly  the  capacity 
they  require  when  they  require  it.  Therefore,  we  consider  in 
this  paper  only  schemes  in  which  the  VMs  from  different 
users  share  the  same  resources.  We  can  see  that  a  cross-side 
channel  attack  between  VMs  is  closely  related  to  the 
problem  of  interdependency  when  many  users  share  the 
same  resource  that  they  depend  on.  This  paper  provides  a 
comprehensive  analysis  of  direct  vs.  indirect  attack, 
collateral damage, and negative externality in a public cloud.

III.  System  Model 

Figure  1  illustrates  our  system  model:  A  public  cloud 
with  n  users  that  we  denote  User  1,  User  2  ...  User  n.  Each 
user  runs  several  applications  illustrated  by  Application  1 
...Application  k  in  Fig.  1.  Technically,  the  users  may  run  a 
different  number  of  applications  without  any  impact  on  this 
model.  The  different  applications  require  an  operating 
system  to  function  and  that  operating  system,  in  turn, 
manages  a  VM  in  the  cloud.  In  practice,  a  single  user  may 
use  several  operating  systems  or  numerous  VMs. 

However,  we  consider  the  architecture  in  Fig.  1  to 
simplify  the  exposition.  As  it  is  a  common  practice  in  a 
public  cloud,  we  consider  that  the  different  VMs  from  the 
different  users  share  the  same  hypervisor  and  hardware  as  in 
Fig.  1.  The  hypervisor  can  be  of  different  types  such  as  the 
Kernel-based  Virtual  Machine  (KVM),  Xen,  and  VMware. 
The  common  factor  is  that  the  VMs  share  the  same  platforms 
that  expose  each  user  to  collateral  damage. 

We  consider  the  possibility  of  a  random  hardware  failure 
to  be  a  rare  event  and  neglect  that  possibility  in  our  analysis. 
It  is  well  known  that  the  users’  security  heavily  depends  on 
the  cloud  provider.  We  are  analyzing  security 
interdependency  among  the  users;  therefore  our  model 
considers  that  the  attacker  compromises  the  hypervisor  in 
two  steps.  The  first  step  is  to  compromise  a  user’s  VM,  or 
masquerade  as  legitimate  user  to  obtain  a  VM  in  the  public 
cloud.  The  second  step  is  to  use  the  compromised  VM  to 
attack  the  hypervisor.  This  means  that  the  public  cloud 
provider  takes  all  the  necessary  measures  to  prevent  an 
attacker  from  directly  compromising  the  hypervisor  without 
using  a  compromised  VM.  This  is  to  separate  cloud  client-to- 
client  interdependency  and  cloud  host-to-client 
interdependency.  However,  any  model  that  analyzes  cloud 
host-to-client  interdependency  can  be  superposed  to  our 
model.  We  distinguish  two  types  of  attack  depending  on  the 
extent  of  the  consequence:  a  restricted  attack  and  an 
unrestricted  attack.  A  restricted  attack  on  User  i  only 
compromises  the  applications,  operating  system  and  VM  that 
belong to User i; the hypervisor is not affected after a
restricted  attack.  An  unrestricted  attack  has  consequences 
that  can  cross  a  VM  to  reach  the  hypervisor,  i.e.  the 
hypervisor  is  compromised.  We  consider  that  all  the  users 
suffer  the  consequences  (damage)  if  the  hypervisor  is 
compromised.  This  is  because  an  attacker  that  compromises 
the  hypervisor  can  then  compromise  all  the  VMs  on  that 
public  cloud. 

Figure 1: System Model Illustration


We  can  see  that  an  unrestricted  attack  causes  collateral 
damage.  A  direct  attack  on  User  i  can  go  through  that  user’s 
VMs  to  compromise  the  hypervisor  and  ultimately  affect  the 
VM  of  another  User  j.  We  also  refer  to  this  as  an  indirect 
attack  on  j.  Thus,  each  user  in  a  public  cloud  can  suffer  from 
two types of attack. A direct attack on User i occurs when the
attacker’s primary target is User i. Furthermore, an indirect
attack  on  User  i  happens  when  an  attack  that  is  launched  on 
another  User  j  compromises  the  hypervisor  before 
compromising  User  i’s  VM. 

This  system  model  clearly  shows  that  cyber  security  in  a 
public  cloud  depends  not  only  on  a  particular  user  but  also 
on  any  other  user  of  the  cloud.  This  is  the  problem  of 
interdependency.  Section  IV  will  analyze  the 
interdependency  problem  from  a  game  theoretic  perspective. 

IV.  Game  Model 

This  section  considers  a  game  with  three  players:  An 
attacker  and  two  users  (User  i  and  User  j).  Section  VII  will 
extend  this  model  to  more  than  two  users  and  multiple 
attackers.  The  three  players  are  assumed  to  be  rational, 
which  means  that  each  player  has  an  understanding  of  the 
system  and  has  the  ability  to  perform  the  necessary 
calculation  to  only  take  the  actions  that  maximize  his 
expected  payoff.  The  attacker  has  two  strategies:  launch  an 
attack on User i ($A_i$) and launch an attack on User j ($A_j$). The
attacker  can  only  use  one  of  the  two  strategies  at  a  time.  The 
attacker  strategy  to  launch  an  attack  on  User  i  may  consist  of 
a  multi-stage  process  involving  steps  such  as  scanning, 
collecting  information,  credential  compromising,  executing 
attack  payload,  establishing  backdoor,  cleaning  footholds 
and avoiding firewalls. Choosing to invest is a binary
decision for each user in which the two users can either
Invest (I) in security to maintain a minimum security
standard and increase their protection or Not invest (N), i.e.,
there is no partial investment in security. The strategy Invest
may consist of multiple actions such as system monitoring,
reconfiguration, patching, updating software, and buying a
new antivirus. Investment in security requires a total expense
$e$. A strategy profile is a 3-tuple that indicates the action of
each player. For instance, the strategy profile $(N, I, A_j)$
indicates that User i does not invest (N), User j invests (I),
and the attacker launches an attack on User j ($A_j$).

The probability of a successful attack on a user, given
that he has invested in security, is $q_I$ and the probability of a
successful attack on a user, given that he has not invested in
security, is $q_N$. We assume that

$$0 < q_I < q_N < 1. \tag{1}$$

We have $q_I < q_N$ because any rational user will only
invest in security measures that diminish his chance to get
compromised.

The probability that the hypervisor is compromised given
a successful attack on a user is denoted $\pi$. Our model
considers that at least some successful attacks on a VM will
reach the hypervisor, i.e., that $\pi > 0$. In fact, $\pi = 0$ means that
a successful attack on a VM would never reach the
hypervisor, which would be a strong assumption. We also
consider that not all the successful attacks on a VM can
compromise the hypervisor ($\pi < 1$). Thus we have

$$0 < \pi < 1. \tag{2}$$

We consider that there is a high profile User j and a low
profile User i. In case of a security breach, the high profile
user incurs more loss than the low profile user. The high
profile User j’s expected loss from a security breach is $L_j$ and
the expected loss of User i is $L_i$. Then we consider that

$$0 < L_i < L_j. \tag{3}$$

We  will  show  that  this  imbalance  affects  the  investment 
decision  of  each  player  and  may  yield  positive  and  negative 
externalities.  A  positive  (negative)  externality  is  an  action  of 
a  player  that  transfers  a  positive  (negative)  effect  onto  a  third 
party.  In  fact,  when  (high  profile)  users  in  a  public  cloud 
invest  in  security  to  protect  their  applications,  operating 
systems  and  VMs,  they  also  protect  the  hypervisor  which  in 
turn  protects  other  users  from  an  indirect  attack  or  cross-side 
channel  attack.  This  yields  a  positive  externality  to  other 
users  in  a  public  cloud.  On  the  contrary,  if  a  (low  profile) 
user chooses not to invest in security, then an easy attack
path to the hypervisor is created and thus exposes all other
users  of  a  public  cloud  to  a  cross-side  channel  attack.  This 
yields  a  negative  externality  to  other  users  in  a  public  cloud. 

The  accuracy  of  our  model  depends  on  the  correct 
estimation of the probabilities $q_I$, $q_N$, $\pi$ and the losses $L_i$ and $L_j$.
We  propose  two  different  approaches  to  estimation.  The  first 
approach  is  the  QuERIES  approach  [21].  The  QuERIES 
approach  estimates  the  probabilities  and  costs  of  successful 
attacks  by  first  building  an  attack  graph  represented  as  a 
Partially  Observable  Markov  Decision  Process  (POMDP). 
Then  QuERIES  uses  a  controlled  red-team  experiment  and 
information  market  mechanisms  to  estimate  the  POMDP 
parameters.  The  outcome  of  an  information  market  is  a 
collective  estimate  of  a  quantity.  The  red-teams  have  real 
financial  incentives  for  making  correct  predictions  of  the 
POMDP  probabilities.  Finally,  the  POMDP’s  optimum 
policy  is  calculated  to  derive  the  different  probabilities  and 
cost. 

The  second  approach  to  estimate  the  relevant 
probabilities  and  cost  associated  with  our  model  is  based  on 
historical data. In fact, in October 2011, the United States
Securities  and  Exchange  Commission  (SEC)  issued  a  new 
guidance  [22]  requiring  that  companies  disclose  cyber 
incidents  including  a  description  of  the  costs,  other 
consequences,  and  the  relevant  insurance  coverage.  Those 
data  can  now  be  aggregated  to  estimate  the  relevant 
probabilities  and  cost  associated  with  our  model. 

In  addition,  each  user  has  a  reward  R  from  using  the 
cloud  computing  services.  The  reward  R  can  be  calculated  as 
a  function  of  a  user’s  multiple  benefits  of  using  the  cloud 
such  as:  reduced  spending  on  technology  infrastructure;  easy 
access  to  their  information  without  up-front  or  long-term 
commitment  of  resources;  and  dynamically  grow  and  shrink 
the  resources  provisioned  to  an  application  on  demand. 

Finally,  we  consider  that  a  User  i  can  detect  and  identify 
a  co-resident  VM  from  User  j  in  the  cloud  via  side-channel 
analysis  as  in  HomeAlone  [20].  Further,  a  skillful  attacker 
will  first  scan  a  public  cloud  to  learn  about  the  different  users 
-  gaining  knowledge  of  their  weaknesses  and  vulnerabilities 
before  launching  an  attack.  Also,  each  of  the  following  can 
be  made  known  or  can  be  estimated  about  a  player  [21-22]: 
the  expected  loss  from  a  security  breach  and  the  related 
probability;  the  total  expense  required  to  invest  in  security; 
and  the  reward  from  using  the  cloud.  Therefore,  our  model 
assumes  that  the  player’s  identity,  strategy  and  payoff  are 
common  knowledge  among  the  players. 


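TABLE I: GAME MODEL IN NORMAL FORM

Attack i
|        |   | User j | User j |
|        |   | I | N |
| User i | I | {$R - e - q_I L_i$; $R - e - q_I \pi L_j$; $q_I L_i + q_I \pi L_j$} | {$R - e - q_I L_i$; $R - q_I \pi L_j$; $q_I L_i + q_I \pi L_j$} |
| User i | N | {$R - q_N L_i$; $R - e - q_N \pi L_j$; $q_N L_i + q_N \pi L_j$} | {$R - q_N L_i$; $R - q_N \pi L_j$; $q_N L_i + q_N \pi L_j$} |

Attack j
|        |   | User j | User j |
|        |   | I | N |
| User i | I | {$R - e - q_I \pi L_i$; $R - e - q_I L_j$; $q_I \pi L_i + q_I L_j$} | {$R - e - q_N \pi L_i$; $R - q_N L_j$; $q_N \pi L_i + q_N L_j$} |
| User i | N | {$R - q_I \pi L_i$; $R - e - q_I L_j$; $q_I \pi L_i + q_I L_j$} | {$R - q_N \pi L_i$; $R - q_N L_j$; $q_N \pi L_i + q_N L_j$} |
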
Table I shows the game model in normal form. We can
see that Table I is a combination of two tables (left and
right). The left table shows the game model when the
attacker targets User i. Therefore, User j can only be subject
to collateral damage after a successful attack on User i and
compromising of the hypervisor (which can happen with
probability $q_I \pi$ if User i invests or probability $q_N \pi$ if User i
does not invest). Similarly, the right table shows the game
model when the attacker targets User j and User i can only be
subject to collateral damage. The fourth line in each table
shows when User i chooses to invest while the fifth line
shows when User i chooses not to invest. In each table, the
decision of User j is represented in the third (Invest) and
fourth (Not invest) column. The payoffs in each block are
represented in three lines. The first line is User i’s payoff.
The second line is User j’s payoff. The attacker payoff is
represented in the third line.

The payoffs are calculated as follows: If the players
choose the strategy profile $(I, I, A_i)$, both users invest (play
I) while the attacker targets User i ($A_i$) (left table, fourth line,
third column). Then both users get the reward $R$. Both users
incur expense $e$ because both of them have invested in
security. Since the attacker targets User i, who will be
compromised with probability $q_I$ (because User i has
invested), User i will incur a loss $L_i$ if compromised. This
results in an expected loss of $q_I L_i$. User j is not targeted but
can incur a loss $L_j$ if the attack on User i is successful (which
happens with probability $q_I$) and the hypervisor is
compromised (which happens with probability $\pi$). This is an
expected loss of $q_I \pi L_j$ and can also be called collateral
damage or loss from an indirect attack. The attacker’s payoff
is the sum of the expected losses of all the users:
$U_a(I, I, A_i) = q_I L_i + q_I \pi L_j$. The attacker’s partial payoff $q_I L_i$ comes from
a direct attack on User i while the second part of his payoff,
$q_I \pi L_j$, is the result of an indirect attack on User j through the
hypervisor.

However, in the strategy profile $(N, I, A_i)$, User i has not
invested (N), User j has invested (I) and the attacker targets
User i ($A_i$) (left table, fifth line, third column). User i
does not incur any expense $e$ because the user has not
invested in security. However, his likelihood of being
compromised increases to $q_N$. Moreover, although User j has
invested in security, his potential losses from collateral
damage increase to $q_N \pi L_j$. The difference
$q_I \pi L_j - q_N \pi L_j = (q_I - q_N) \pi L_j$ is a negative externality that User i imposes on
User j by not investing while User i is the prime target of the
attacker. The attacker’s payoff is
$U_a(N, I, A_i) = q_N L_i + q_N \pi L_j > q_I L_i + q_I \pi L_j = U_a(I, I, A_i)$. The inequality holds
because of (1). The players’ payoffs in the other six strategy
profiles are calculated in a similar way.

V.  Game  analysis 

The  main  goal  of  this  analysis  is  to  derive  the  different 
Nash  equilibria  of  the  game  in  Table  I  and  understand  their 
consequence  for  both  users.  At  a  Nash  equilibrium  profile, 
no  player’s  payoff  can  be  increased  by  a  unilateral  deviation. 
Also,  each  player  is  playing  his  best  response  to  other 
players’ best strategies. Therefore, the Nash equilibrium can
help predict the behavior of any rational player (i.e., one that
wants to maximize its payoff in a game).

We  observe  that  a  user  that  is  the  prime  target  must  be 
hurt  before  the  other  user  suffers  any  collateral  damage. 
Recall  that  the  prime  target’s  VM  must  be  compromised 
before  the  hypervisor  is  compromised.  Thus,  we  consider  in 
the  remainder  of  this  analysis  that  each  user  prefers  to  invest 
instead  of  not  investing  when  he  believes  that  he  is  the 
attacker’s prime target. For User i this translates to

$$R - e - q_I L_i > R - q_N L_i \;\Rightarrow\; e < (q_N - q_I) L_i. \tag{4}$$

Similarly, for User j this translates to

$$R - e - q_I L_j > R - q_N L_j \;\Rightarrow\; e < (q_N - q_I) L_j. \tag{5}$$

Also  observe  that  investing  in  security  is  the  best  option 
to  either  User  i  or  User  j  if  and  only  if  the  user  believes  that 
he  will  be  the  attacker’s  prime  target.  Also,  the  attacker 
targets  only  the  player  that  gets  him  the  higher  total  payoff 
(consisting  of  a  direct  and  indirect  payoff). 

Theorem  1: 

If $\pi < \pi_0 = \dfrac{q_I L_j - q_N L_i}{q_N L_j - q_I L_i}$, then the game in Table I admits a
pure strategy Nash equilibrium profile $(N, I, A_j)$.

If $\pi > \pi_0$, there are three possible mixed strategy Nash
equilibria depending on the required expense for security $e$.

Proof: 

We  start  to  analyze  the  eight  different  pure  strategy 
profiles  to  see  if  one  can  be  a  Nash  equilibrium. 

Case 1: Both users invest.

$$U_a(I,I,A_j) - U_a(I,I,A_i) = (q_I \pi L_i + q_I L_j) - (q_I L_i + q_I \pi L_j) = q_I(1 - \pi)(L_j - L_i).$$

Then by considering (2) and (3) we have

$$U_a(I,I,A_j) - U_a(I,I,A_i) = q_I(1 - \pi)(L_j - L_i) > 0. \tag{6}$$

Therefore, the attacker gets a higher payoff by targeting
User j when both users invest. Thus the strategy profile
$(I, I, A_i)$ can never be a Nash equilibrium because the
attacker can increase his payoff by changing his strategy
to $A_j$. This gets us to the strategy profile $(I, I, A_j)$ that also
cannot be a Nash equilibrium because User i (not being the
attacker’s prime target) can increase his payoff by changing
his strategy from I to N. This yields the strategy
profile $(N, I, A_j)$ that we study in Case 4 below.

Case 2: Both users do not invest.

$$U_a(N,N,A_j) - U_a(N,N,A_i) = (q_N \pi L_i + q_N L_j) - (q_N L_i + q_N \pi L_j) = q_N(1 - \pi)(L_j - L_i).$$

Then by considering (2) and (3) we have

$$U_a(N,N,A_j) - U_a(N,N,A_i) = q_N(1 - \pi)(L_j - L_i) > 0. \tag{7}$$

Thus, the attacker gets a higher payoff by targeting User
j. The strategy profile $(N, N, A_i)$ cannot be a Nash equilibrium
because the attacker can increase his payoff by changing his
strategy to $A_j$. This gets us to the strategy profile $(N, N, A_j)$
that also cannot be a Nash equilibrium because User j, being
the attacker’s prime target, can increase his payoff by
changing his strategy from N to I (because of (5)). This
yields again the strategy profile $(N, I, A_j)$ that we study in
Case 4 below.

Case 3: User i invests while User j does not.

We can see from Table I that

$$U_a(I,N,A_i) = U_a(I,I,A_i) = q_I L_i + q_I \pi L_j. \tag{8}$$

Moreover,

$$U_a(I,N,A_j) - U_a(I,I,A_j) = (q_N \pi L_i + q_N L_j) - (q_I \pi L_i + q_I L_j) \;\Rightarrow$$

$$U_a(I,N,A_j) - U_a(I,I,A_j) = q_N(L_j + \pi L_i) - q_I(L_j + \pi L_i) = (q_N - q_I)(L_j + \pi L_i) > 0. \tag{9}$$

Note that the last inequality in (9) holds because of (1).
Combining (8) and (9) we have

$$U_a(I,N,A_i) = U_a(I,I,A_i)$$

and

$$U_a(I,N,A_j) > U_a(I,I,A_j) \;\Rightarrow\; U_a(I,N,A_j) - U_a(I,N,A_i) > U_a(I,I,A_j) - U_a(I,I,A_i).$$

Taking (6) into consideration we have

$$U_a(I,N,A_j) - U_a(I,N,A_i) > 0. \tag{10}$$

From (10), the attacker gets a higher payoff by targeting
User j. Thus the strategy profile $(I, N, A_i)$ cannot be a Nash
equilibrium because the attacker can increase his payoff by
changing his strategy to $A_j$. This gets us to the strategy
profile $(I, N, A_j)$ that also cannot be a Nash equilibrium
because User j (being the attacker’s prime target) can
increase his payoff by changing his strategy from N to I
(because of (5)). We come back to the strategy profile
$(I, I, A_j)$ that we study in Case 1 above, which finally yields
Case 4 below.

Case 4: User j invests while User i does not.

$$U_a(N,I,A_j) - U_a(N,I,A_i) = (q_I \pi L_i + q_I L_j) - (q_N L_i + q_N \pi L_j) = (q_I L_i - q_N L_j)\pi + (q_I L_j - q_N L_i) = f(\pi).$$

We can see that $f(\pi)$ is a linear function with slope
$(q_I L_i - q_N L_j)$ and initial value $(q_I L_j - q_N L_i)$. From (1) and
(3) we have the slope $q_I L_i - q_N L_j < 0$. Thus, $f(\pi)$ is
decreasing. Moreover, there is a unique value of $\pi$ such that

$$f(\pi) = 0 \;\Rightarrow\; \pi = \pi_0 = \frac{q_I L_j - q_N L_i}{q_N L_j - q_I L_i}. \tag{11}$$

Furthermore, we have $f(\pi) > 0$ for $\pi < \pi_0$ and $f(\pi) < 0$
for $\pi > \pi_0$. Also,

$$f(1) = (q_I L_i - q_N L_j) + (q_I L_j - q_N L_i) = (q_I - q_N)(L_i + L_j) < 0. \tag{12}$$

The last inequality holds because of (1).
In addition, the initial value is

$$f(0) = q_I L_j - q_N L_i, \tag{13}$$

which can be either negative or positive. Observe that
because of (2) the condition $\pi < \pi_0$ can hold if $0 < \pi_0 < 1$,
and by the Intermediate Value Theorem, and based on (12)
and (13), it is only possible when

$$f(0) > 0 \;\Rightarrow\; q_N L_i < q_I L_j \;\Rightarrow\; L_i < \frac{q_I}{q_N} L_j. \tag{14}$$

Then we can distinguish two subcases (4a) and (4b).

Subcase (4a): If $\pi < \pi_0$, then we have
$U_a(N,I,A_j) - U_a(N,I,A_i) > 0$. Thus the attacker prefers to attack User j
than to attack User i. User j prefers to invest than not to
invest (see (5)). User i, not being the attacker’s prime target,
prefers not to invest. Then the strategy profile $(N, I, A_j)$ is
the pure strategy Nash equilibrium of the game because no
player can increase his payoff by a unilateral deviation.

Subcase (4b): If $\pi_0 < \pi$ (regardless of the sign of $f(0)$)
we have $f(\pi) < 0$ and then $U_a(N,I,A_j) - U_a(N,I,A_i) < 0$.
The attacker prefers to attack User i than to attack User j.
Thus the strategy profile $(N, I, A_j)$ cannot be a Nash
equilibrium because the attacker can increase his payoff by
changing his strategy to $A_i$. This gets us to the strategy
profile $(N, I, A_i)$ that also cannot be a Nash equilibrium
because User i, being the attacker’s prime target, can increase
his payoff by changing his strategy from N to I (see (4)).
This brings us to the Case 1 above which you recall brings us
to Case 4. Therefore, this circular reasoning tells us that there
is no pure strategy Nash equilibrium. However, there will be
a mixed strategy Nash equilibrium that we analyze next.

Mixed Strategy Nash Equilibrium:

To find the mixed strategy Nash equilibrium, we set three
variables $\alpha$, $\beta$, $\lambda$ with

$$0 < \alpha, \beta, \lambda < 1. \tag{15}$$

$\alpha$ represents the probability with which User i plays I.
Since User i has only two strategies, User i plays N with
probability $1 - \alpha$. Similarly, User j plays I with probability
$\beta$ and plays N with probability $1 - \beta$. Likewise the attacker
attacks j with probability $\lambda$ and attacks i with probability
$1 - \lambda$.


By definition, User i plays a mixed strategy if and only if
his payoff $U_i(I)$ when playing I is equal to his payoff $U_i(N)$
when playing N. This translates to:

$$U_i(I) = U_i(N) \;\Rightarrow\; (1-\lambda)\beta(R - e - q_I L_i) + (1-\lambda)(1-\beta)(R - e - q_I L_i) + \lambda\beta(R - e - q_I \pi L_i) + \lambda(1-\beta)(R - e - q_N \pi L_i)$$

$$= (1-\lambda)\beta(R - q_N L_i) + (1-\lambda)(1-\beta)(R - q_N L_i) + \lambda\beta(R - q_I \pi L_i) + \lambda(1-\beta)(R - q_N \pi L_i)$$

$$\Rightarrow\; \lambda = \lambda_i = \frac{(q_N - q_I) L_i - e}{(q_N - q_I) L_i}. \tag{16}$$

Equation (4) shows that $0 < \lambda_i < 1$. Also,

$$U_i(I) < U_i(N) \;\Rightarrow\; 0 < \lambda_i < \lambda < 1, \tag{17}$$

and

$$U_i(I) > U_i(N) \;\Rightarrow\; 0 < \lambda < \lambda_i < 1. \tag{18}$$

This means that, if the attacks on User j are more
frequent than $\lambda_i$ (and then User i is attacked less often), then
User i prefers to play N. User i plays I otherwise.

Similarly, User j plays a mixed strategy if and only if his
payoff $U_j(I)$ when playing I is equal to his payoff $U_j(N)$
when playing N. This translates to:

W  =  =  =  (19) 

Equation (5) shows that $0 < \lambda_j < 1$. Also,

$$U_j(I) < U_j(N) \;\Rightarrow\; 0 < \lambda < \lambda_j < 1, \tag{20}$$

and

$$U_j(I) > U_j(N) \;\Rightarrow\; 0 < \lambda_j < \lambda < 1. \tag{21}$$

Further, the attacker plays a mixed strategy if and only if
his payoff $U_a(A_i)$ when attacking User i is equal to his
payoff $U_a(A_j)$ when attacking User j. This translates to:

$$U_a(A_i) = U_a(A_j) \;\Rightarrow\; \beta(L_j + \pi L_i) - \alpha(L_i + \pi L_j) = \left(\frac{q_N}{q_N - q_I}\right)\left[(L_j + \pi L_i) - (L_i + \pi L_j)\right]. \tag{22}$$

Given the conditions in (16), (19) and (22), we can
distinguish three cases that we denote M1, M2 and M3
depending on whether $\lambda_j = \lambda_i$, $\lambda_j < \lambda_i$, or $\lambda_j > \lambda_i$. Furthermore,
we will see that the total expense required to invest in
security $e$ determines which of the mixed strategies is used.

Case M1: If $\lambda_j = \lambda_i \Rightarrow$

$$e = e_0 = \frac{(q_N - q_I) L_i L_j}{L_i + L_j}, \tag{23}$$

then any strategy profile
$\{\alpha I + (1 - \alpha)N;\ \beta I + (1 - \beta)N;\ \lambda_j A_j + (1 - \lambda_j)A_i\}$, with $\alpha$ and $\beta$ set according
to (22), is a mixed strategy Nash equilibrium. Recall that (15)
must hold.

We can see that when $\lambda_i \neq \lambda_j$, the conditions in (17)-(18)
and (20)-(21) dictate that only one user plays a mixed
strategy at a time while the other plays a pure strategy.
Moreover, the attacker chooses the value of $\lambda$ that
corresponds to the user playing the mixed strategy. This
consideration is critical to understand the next two cases.

Case M2: If $\lambda_j < \lambda_i \Rightarrow$

$$e < e_0 = \frac{(q_N - q_I) L_i L_j}{L_i + L_j}, \tag{24}$$

and $\lambda = \lambda_i$, then according to (21), User j plays the pure
strategy I. This means that $\beta = 1$. Setting $\beta = 1$ in (22)
yields

$$\alpha = \alpha_0 = \frac{q_N(L_i + \pi L_j) - q_I(L_j + \pi L_i)}{(q_N - q_I)(L_i + \pi L_j)}. \tag{25}$$

We can verify that $0 < \alpha_0 < 1$ when $\pi > \pi_0$ and (1), (2)
and (3) hold. Therefore, the strategy profile
$\{\alpha_0 I + (1 - \alpha_0)N;\ I;\ \lambda_i A_j + (1 - \lambda_i)A_i\}$ is a mixed strategy Nash
equilibrium. Observe that the low profile User i is more
likely to invest in this mixed strategy Nash equilibrium
compared to the pure strategy Nash equilibrium $(N, I, A_j)$. In
this scenario, it is relatively cheap to invest in security as
shown in (24).

However, if $\lambda_j < \lambda_i$ and $\lambda = \lambda_j$, then according to (18)
User i plays the pure strategy I. This means that $\alpha = 1$.
Setting $\alpha = 1$ in (22) yields

$$\beta = \frac{q_N(L_j + \pi L_i) - q_I(L_i + \pi L_j)}{(q_N - q_I)(L_j + \pi L_i)} > 1. \tag{26}$$

The last inequality in (26) holds when (1), (2), and (3)
hold. This is a contradiction with (15).

Case  M3:  If  Ay  >  Xt  => 

C qN  ~  qi)LtLj 

— ^7 —  <  e  <  (9jv  - 

Note  that  the  last  inequality  must  hold  because  of  (4).  Thus 
according  to  (17),  when  A  =  Ay  ,  User  i  plays  the  pure 
strategy  N.  This  means  that  a  =  0 .  Setting  a  =  0  in  (22) 
yields: 


(26) 
and  (3) 

(27) 


/?  =  /?o  = 


qN[{Lj  +  nLj)  -  (Lt  +  nLj)\ 


(28) 


(q N  -  qi){lj  +  nLj) 

We  can  verify  that  0  <  (30  <  1  when  n  >  n0  and  (1),  (2) 
and  (3)  hold.  Therefore,  the  strategy  profile  [N;  (3qI  + 
(1  —  (3q)N)  XjAj  +  (l  —  Ay)i4  J  is  a  mixed  strategy  Nash 
equilibrium.  Observe  that  the  high  profile  User  j  is  less  likely 
to  invest  in  this  mixed  strategy  Nash  equilibrium  compared 
to  the  pure  strategy  Nash  equilibrium  ( N,I,Aj ).  In  this 


scenario,  it  is  relatively  more  expensive  to  invest  in  security 
as  shown  in  (27). 

However, if $\lambda_j > \lambda_i$ and $\lambda = \lambda_i$, then
according to (20), User j plays the pure strategy $N$. This means
that $\beta = 0$. Setting $\beta = 0$ in (22) yields:

(qN  -  qi)(k  +  nLj) 

The last inequality in (29) holds when (1), (2), and (3)
hold. This is a contradiction with (15). ■

In summary, we have shown that the low profile User i
imposes two different types of negative externalities on the
high profile User j in the cloud. If $L_i$ is low enough in such a
way that (14) holds and $\pi < \pi_0$, then in the pure strategy
profile $(N, I, A_j)$ shown in subcase (4a), the attacker targets
the high profile user even though the high profile user (User
j) invests in security while the low profile user (User i) does
not invest. User j is the attacker's only target. This is the first
type of negative externality. When $L_i$ is high enough in such
a way that (14) does not hold, then $\pi > \pi_0$ and the attacker is
forced to play a mixed strategy. The specific mixed strategy
is determined by the total expense required to invest in
security $e$. However, User i produces the second type of
negative externality by investing less often than User j in all
those mixed strategies. In fact, there is no Nash equilibrium
in which the low profile user (User i) plays the pure strategy
$I$.


Furthermore, with a low value of $e$ (Case M2), it can be
shown that User i's probability to invest $\alpha_0$ (see (25))
increases with $L_i$ to the benefit of User j. Recall that in Case
M2, User j always invests. However, if the value of $e$ is high
(Case M3), it is easy to verify that User j's probability to
invest in security $\beta_0$ (see (28)) decreases with $L_i$. Recall
that in Case M3, User i does not invest (plays $N$). A high value of
$e$ causes an underinvestment problem in cloud security.

In  short,  it  is  important  for  a  high  profile  user  to  be 
collocated  with  other  high  profile  users  in  a  public  cloud. 
The notion of externality has always been perceived in the
housing market. In fact, the value of other homes in the same
neighborhood influences the price of any particular home. As
a consequence, a rational home buyer will try to find out who
his neighbors are before buying a home. A similar concept
should  apply  to  cloud  computing.  It  can  be  important  that  a 
cloud  user  knows  who  his  neighbors  are.  A  cloud  user’s 
neighborhood  is  the  set  of  users  with  whom  he  shares  the 
same  resources  (hypervisor,  CPU  cycle,  DRAM  of  the 
physical  machine,  physical  memory,  and  network  buffers). 

VI. Numerical Results

Our game analysis has provided a detailed exposition of
our game model and its equilibrium properties. The
numerical results in this section are derived from our game
analysis. The main variables used in calculating pure and
mixed strategy equilibrium were $R$, $q_I$, $q_N$, $L_i$, $L_j$, $\pi$,
and $e$. We will use specific numbers to provide concrete examples
and examine the three cases in which we will increase
$e$, $L_j$, and $\pi$ individually, ceteris paribus.

A. Changes in User j's Payoff with Probability $\pi$

In this first scenario, we will take the value of $\pi$ to be
variable while setting values for all the other parameters. We
will take $q_N = 0.5$, $q_I = 0.1$, $R = 1.2$, $L_i = 1$, $L_j = 10$.
Those values are chosen to illustrate some of the non-intuitive
implications of our game model. Using (11), we can
see that $\pi_0 = 0.102$. Furthermore, with (23) we can see that
$e_0 = 0.3636$. Moreover, (27) gives us $0.3636 < e < 0.4$.
Recall that in case of a mixed strategy Nash equilibrium
($\pi > \pi_0 = 0.102$), the value of $e$ determines which of the
mixed strategy Nash equilibria (Case M1, M2 or M3) is
selected by the players. In Fig. 2, we set $e = 0.3$ ($e < e_0$) so
that once the critical value of $\pi$ is reached, the mixed
strategy Nash equilibrium will be as in Case M2.

We immediately see that the payoff for User j in pure
Nash equilibrium is negative. When the payoff of a rational
user is negative, he prefers not to use the cloud. So, for all
values of $\pi < 0.102$, User j, who is assumed to be
rational in our model, will not use the cloud because the risk
of a security breach and negative externalities of using the
cloud are greater than the multiple benefits that cloud
computing provides. Recall that in the pure strategy Nash
equilibrium, User j is at a disadvantage because he is the
attacker's only target.

However, at $\pi = 0.102$ there is a strategy change from
pure to mixed due to (11), and at this point the strategies
shift. With a shift in Nash equilibrium and players'
strategies, there is a concurrent change in the function used,
as a new set of equations governs the strategies. This
allows for a positive payoff for $0.102 < \pi < 0.47837$ and
implies that User j will participate in the cloud for the
aforementioned values of $\pi$. These results are seemingly
counterintuitive since the hypervisor has a higher probability
of being compromised when User j participates in cloud
activities than when he does not. This is explained by the
equilibrium shift to a mixed strategy where the attacker is not
only attacking User j but also User i. This lowers User j's
potential loss and thus shifts his payoff upwards.

Examining Fig. 2 again, the payoff becomes negative
again as $\pi$ crosses 0.47837, which shows that User j will
again not participate in the cloud for all values of
$0.47837 < \pi < 1$ since the probability of being compromised
from an indirect attack is now too high to justify cloud usage.

By setting $e = 0.38$ and upholding (27), Fig. 3 shows the
strategy shift from pure Nash equilibrium to the mixed Nash
equilibrium in Case M3. Still, for values of $\pi < 0.102$, User
j will not participate in the cloud because of his negative
payoff. However, once $\pi$ crosses 0.102, a change in payoff
from negative to positive, as in Fig. 2, makes the cloud a
viable option. Interestingly, the payoff does not cross over
again to become negative after this original movement of
equilibriums. This means that for all values of $0.102 < \pi < 1$,
User j will participate in the cloud if $0.3636 < e < 0.4$.
Another surprising result is that User j's payoff is higher in
Fig. 3 compared to Fig. 2 although the required expense in
security $e$ in Fig. 3 is higher. Fig. 4 and 5 show more details
in the change of User j's payoff with $e$.

Figure 2: Changes in User j's payoff with probability $\pi$ with $e < e_0$.

Figure 3: Changes in User j's payoff with probability $\pi$ with $e > e_0$.

B. Changes of User j's Payoff with the Expense in Security $e$

We have already examined the case of pure Nash
equilibrium and 2 cases of mixed strategy equilibrium
dependent on the varying values of $\pi$. We will now make $\pi$ a
constant while varying the levels of $e$. As stated before, the
value of $\pi_0 = 0.102$ is a focal point between mixed and pure
strategy equilibrium. In this case of $\pi < 0.102$, User j has
only one (pure) strategy, whose payoff of $R - e - q_I L_j$
yields the linear function in Fig. 4.

The "x" intercept where the payoff is 0 (at $e = 0.2$) is yet
another turning point where User j will no longer use the
cloud. For values $0 < e < 0.2$, User j will participate in the
cloud because of the low overhead of investing in security.
However, for $e > 0.2$, the cost is too great to allow for a
positive payoff and User j will not use the cloud. For
$0.102 < \pi < 1$ the players' strategies are switched and the entire
payoff map changes as seen in Fig. 5.

In Fig. 5, we have set $\pi = 0.11 > \pi_0$ and thus we can
see the three different cases of mixed strategy: Case M2
($e < 0.3636$), Case M1 ($e = 0.3636$) and Case M3
($0.3636 < e < 0.4$). The major shift from Case M2 to Case M3
occurs at the threshold of $e = 0.3636$ (Case M1) due to (23)
stated in the previous analysis. For $0 < e < 0.3636$, the change
from using to not using the cloud occurs at $e = 0.08606$ when the
payoff becomes negative.


Figure 4: Changes of User j's payoff with the expense in security $e$ with $\pi < \pi_0$.

Figure 5: Changes of User j's payoff with the expense in security $e$ with $\pi > \pi_0$.
[Plot: horizontal axis "Expense on Security e"; annotation "Changes in mixed Nash equilibrium".]

When the expense $e$ increases and $0.3636 < e < 0.4$, the
shift in mixed Nash equilibrium from Case M2 to Case M3
causes the payoff to change and become positive. Thus it
becomes possible for User j to profitably use cloud services.
This is a counterintuitive result from this analysis. One may
expect an increase of the expense $e$ to never benefit User j.
However, in this game theoretic setting, User j's payoff
depends not only on his own action but also on the action of
User i and the attacker. The increase of the expense $e$
changes User i's and the attacker's strategies in such a way
that it has an overall positive effect on User j's payoff. In
Case M3, User j invests with probability $\beta_0$ as opposed to 1
in Case M2. This yields some savings that increase User j's
overall payoff. Recall that moving from Case M2 to M3
changes the mixed strategy Nash equilibrium from
$\{\alpha_0 I + (1-\alpha_0)N;\ I;\ \lambda_i A_j + (1-\lambda_i)A_i\}$ to
$\{N;\ \beta_0 I + (1-\beta_0)N;\ \lambda_j A_j + (1-\lambda_j)A_i\}$.
Note also that for $e > 0.4$, Case M3 no longer applies, consistent
with (4).

C. Changes in User j's payoff with his loss from security breach $L_j$

Now that the variability of $\pi$ and $e$, and the equilibrium
shifts they cause, have been examined, we will examine in
Fig. 6 the phenomena in equilibrium changes associated with
varying values of $L_j$. Since $L_j$ is a variable in
both the equations that govern the values of $\pi_0$ (Equation
(11)) and $e_0$ (Equation (23)), we must set specific values for
$\pi$ and $e$ in order to avoid a problem of double variables. For
the rest of the analysis of $L_j$, we will set $\pi = 0.1$ and
$e = 0.3$. Recall that we have set $L_i = 1$. Therefore, $L_j$ is a
direct indication of how many times $L_j$ is bigger than $L_i$.

Unlike the previous two problems in which a certain
change in the discrete value of $\pi$ with a varying $e$ could
cause an equilibrium shift, there is no such change here. Here
the values of $\pi$ and $e$ are constant and $L_j$ is the unique
variable. As can be seen in Fig. 6, any value of $L_j > 9.8$ will
result in a pure Nash equilibrium due to (11). Further, (23)
shows that when $3 < L_j < 9.8$ the mixed strategy Nash
equilibrium profile of Case M2 will hold, Case M1 holds
for $L_j = 3$, and if $1 < L_j < 3$, then Case M3 will be used.

Figure 6: Changes in User j's payoff with his loss from security breach $L_j$.


These results show that Case M3 is the "best" of all the
equilibriums because User j's potential loss $L_j$ is so close to
User i's loss $L_i$. An obvious result is that User j's payoff is
maximized in Case M3 when $L_j$ is close to $L_i = 1$. That is
because there is no imbalance between $L_i$ and $L_j$ and thus the
negative externalities are minimized. The negative
externality in public cloud security can be mitigated by
putting VMs that have similar potential loss from a security
breach in the same physical machine. However, a surprising
result is that User j's payoff jumps up concurrent with
switching from the mixed Nash equilibrium (Case M2) to the
pure Nash equilibrium despite the fact that $L_j$ becomes
substantially greater than $L_i$. For instance, User j's payoff
when $L_j = 4L_i$ equals User j's payoff when $L_j = 10L_i$. This
prediction is not possible without a thorough game theoretic
analysis.
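
An added example (not code from the paper) that works through the case selection above with the parameters of Section VI. It assumes that (11) is the two-user form of (30) and takes (23), (25), (27) and (28) as stated; the names `Game`, `equilibrium` and `sweep_L_j` are this example's own.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Game:
    q_N: float  # P(attack succeeds | target did not invest)
    q_I: float  # P(attack succeeds | target invested)
    L_i: float  # loss of the low profile User i
    L_j: float  # loss of the high profile User j
    pi: float   # P(hypervisor compromised | attacked user compromised)
    e: float    # expense required to invest in security
    R: float = 1.2  # reward from using the cloud


def pi_0(g):
    # Assumption: (11) is the two-user form of (30).
    return (g.q_I * g.L_j - g.q_N * g.L_i) / (g.q_N * g.L_j - g.q_I * g.L_i)


def e_0(g):
    # Expense threshold (23).
    return (g.q_N - g.q_I) * g.L_i * g.L_j / (g.L_i + g.L_j)


def alpha_0(g):
    # (25): probability that User i invests in Case M2.
    num = g.q_N * (g.L_i + g.pi * g.L_j) - g.q_I * (g.L_j + g.pi * g.L_i)
    return num / ((g.q_N - g.q_I) * (g.L_i + g.pi * g.L_j))


def beta_0(g):
    # (28): probability that User j invests in Case M3.
    num = g.q_N * ((g.L_j + g.pi * g.L_i) - (g.L_i + g.pi * g.L_j))
    return num / ((g.q_N - g.q_I) * (g.L_j + g.pi * g.L_i))


def equilibrium(g):
    """Return (case, P(User i invests), P(User j invests))."""
    if g.pi < pi_0(g):
        return ("pure", 0.0, 1.0)       # profile (N, I, A_j)
    if math.isclose(g.e, e_0(g), rel_tol=1e-9):
        return ("M1", None, None)       # alpha and beta tied by (22)
    if g.e < e_0(g):
        return ("M2", alpha_0(g), 1.0)  # User j plays I
    if g.e >= (g.q_N - g.q_I) * g.L_i:
        raise ValueError("e is above the upper bound in (27)")
    return ("M3", 0.0, beta_0(g))       # User i plays N


def pure_payoff_j(g):
    # User j's payoff in the pure equilibrium: R - e - q_I * L_j.
    return g.R - g.e - g.q_I * g.L_j


def sweep_L_j(g, values):
    # Case selected for each L_j, all other parameters held fixed.
    return [equilibrium(replace(g, L_j=v))[0] for v in values]


if __name__ == "__main__":
    base = Game(q_N=0.5, q_I=0.1, L_i=1, L_j=10, pi=0.3, e=0.3)
    print(round(pi_0(base), 3), round(e_0(base), 4))        # Section VI.A
    print(equilibrium(base))                                # Fig. 2 regime
    print(equilibrium(replace(base, e=0.38)))               # Fig. 3 regime
    print(sweep_L_j(replace(base, pi=0.1), [2, 3, 5, 12]))  # Section VI.C
```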

D. Changes in User j's payoff with his reward from using the cloud

For the constant $R$, changing it will have a trivial effect
on any of the given graphs shown. As seen in Fig. 7, a
change in the value of $R$ will cause the graph to translate
upward or downward depending on the new value of $R$
selected. For this particular instance, if the reward for using
the cloud is increased from 1.2 to 4.4, the entire payoff
scheme from $1 < L_j < 14$ becomes positive since the
increased level of reward increases the payoff.

Figure 7: Changes in User j's payoff with his reward from using the cloud.

VII.  Model  Extension  and  Discussion 

The  model  we  have  presented  so  far  has  considered  two 
users  and  one  attacker.  However,  our  model  can  be  extended 
to  more  than  two  users  and  multiple  attackers. 

A. Model Extension to more than two Users and a Single Attacker

All the assumptions made in our game model in Section
IV remain valid except that we increase the number of users
from 2 to $n$. The $n$ users are denoted User 1, User 2, ..., User
$n-1$, User $n$. Their potential losses from a security breach are
$L_1, L_2, \ldots, L_{n-1}, L_n$ respectively. We consider that
$L_1 < L_2 < \cdots < L_{n-1} < L_n$. The attacker targets one of
the $n$ users. A similar analysis as above shows that the game
admits a pure strategy Nash equilibrium if $L_n$ is substantially
greater than $L_{n-1}$. In this Nash equilibrium, User $n$ is the
attacker's only target. The attacker plays the strategy $A_n$,
User $n$ invests (plays $I$) while all the other users do not invest
(play $N$). Regarding the threshold value of $\pi$ below which we
have a pure strategy Nash equilibrium, (11) translates to

$$\pi_0^* = \frac{q_I L_n - q_N L_{n-1}}{q_N L_n - q_I L_{n-1}}. \qquad (30)$$

As before, the game admits a multitude of mixed
strategies if $\pi > \pi_0^*$. The expense $e$ will determine the
specific mixed strategy the players choose.

B. Model Extension to more than two Users and Multiple Attackers

In a game with multiple independent attackers, each
attacker maximizes his own payoff. If $\pi < \pi_0^*$, each attacker
plays the strategy $A_n$ and User $n$ invests (plays $I$) while all
the other users do not invest (play $N$). However, the game
complexity increases if the attackers collude by coordinating
their action and sharing the payoff. Nevertheless, an increase
in the number of attackers increases the likelihood that a
given user can be targeted by one attacker and eventually get
compromised. As the number of attackers increases, the
cloud environment becomes more hostile and more users
will be forced to invest (because of (4) and (5)).

Another  consideration  is  the  users’  payoff  structure. 
There  are  applications  in  which  a  user  incurs  the  same  loss 
after  being  compromised  by  a  single  attacker  or  multiple 
attackers, e.g., information integrity can be lost when either a
few  bits  or  when  many  bits  of  a  data  item  become  useless. 
Either  critical  data  are  well  protected  or  they  are  not. 
However,  the  severity  of  other  types  of  attacks  such  as  a 
Distributed  Denial  of  Service  (DDoS)  increases  with  the 
number  of  attackers  involved. 

VIII.  Conclusion 

The lack of an accurate evaluation of the negative
externalities stemming from a high profile organization using
the cloud could result in the refusal of such organizations
to join a public cloud in spite of the many advantages
that cloud computing offers. The negative externalities of
using a public cloud come from the fact that the users are not
perfectly isolated from one another. They share common
resources such as the hypervisor, the last-level cache (LLC),
memory bandwidth, and IO buffers that cause
interdependency.

This  research  has  used  game  theory  to  provide  a 
quantitative  approach  to  perform  a  cost  benefit  analysis  of 
cloud  services  while  taking  into  account  the  action  of  other 
cloud  users  and  their  different  potential  losses  from  a 
security  breach.  Our  model  takes  into  account  the  potential 
collateral  damage  from  an  indirect  attack  and  cross  side 
channel  attack.  The  game  has  multiple  possible  Nash 
equilibria that can be in pure or mixed strategy. Our research
finds that an increase in the probability that the hypervisor is
compromised, given a successful attack on a user's VM, may
force the small cloud participant to protect their VM and thus
increase the overall cloud security to yield a better outcome for
high profile users.

This research has also shown that there is an intricate
relationship between the total expenses required to invest in
security and a high profile user's payoff. A change in
security expense changes the Nash equilibria of the game that the
players adopt, with some of those equilibria being more
desirable to high profile users.

Definitely, the negative externality in public cloud
security can be mitigated by putting VMs that have similar
potential loss from a security breach in the same physical
machine.

According to Ross Anderson, information security is
hard because defenders have to defend everywhere and
attackers could attack anywhere [16]. This leads to many
problems for network defenders, users, software used in
critical infrastructure, a small business, or a division in the
United States government. Moreover, these security
problems are exacerbated when using cloud computing. By
utilizing game theory, we can more accurately describe the
nature of the attacker and his motives. However, sometimes
our best friend can be our worst enemy. Other players'
behaviors can be seemingly erratic and even counterintuitive,
which can be very dangerous when your decisions are based
on the decisions of others. With game theory, we can quell
some of this contradictory behavior that is characteristic of
network security and bring clarity to this complex topic.